The first century Roman poet satirist, Juvenal (c.55 – 127 AD) is credited with first uttering the famous phrase “Quis custodiet ipsos custodes”. It can be translated as “Who guards the guards?”, or “Who watches the watchers? Who watches the watchers is the idea that political and security power structures require transparency and oversight or they are likely to abuse their power resulting in chilling effects on society, culture and economic activity. It is a political concept that dates back to Plato’s Republic. And it finds renewed relevance when applied to Data Broker Breaches.
This paper examines a terrifying proposition. The custodians of the largest, most cleansed and normalized data sets – highly accurate and complete data profiles on hundreds of millions of Americans – are being breached as regularly as any other organization. And those individuals and organizations operating in the absence of strong external data privacy policies and best practices are at the highest risk for suffering the consequences of Data Broker breach.
In 2012, a well-known Data Broker, Acxiom, claimed to have files on about 500 million active consumers worldwide, with about 1,500 data points per person. By 2023, Acxiom (renamed LiveRamp) claimed to have files on 2.5 billion people and over 3,000 data points per person. It is clear that the volume and granularity of the data being aggregated by Data Brokers is growing precipitously and without slowing.
Yet, no one consented to allow Data Brokers to act as “watchers”, collecting and organizing exhaustive digital chronicles of our lives. No one agreed to allow them to compile these detailed dossiers, for profit, despite the substantial privacy risks inherent in their business models. No one was even asked or informed. What’s worse, there is very little to no oversight of these “watchers”. Who is guarding the guards of the world’s personal data troves making sure our most precious personal data is safe from theft, fraud and abuse? Sadly, the consequences of this travesty against personal privacy are all too predictable. They are already being suffered by thousands of organizations and hundreds of millions of individuals whose sensitive information has been compromised by Data Broker breach.
It may seem counterintuitive. While one might imagine that organizations entrusted with such sensitive information would employ exceptional protective measures against hackers and data breaches, the Data Broker industry largely does no more than apply typical, enterprise-grade cyber security. As Privacy Bee for Business continues to document, cyber security alone is not enough. This means the Data Broker industry is just as vulnerable as any other.
When a Data Broker breach occurs, it yields damage an order of magnitude more than the breach of most any other kind of organization. The data stolen during a breach of a healthcare company or a university will surely contains some individually sensitive data points useful to scammers. By contrast, the data amassed by Data Brokers is comprehensive in volume, highly specific and contextually rich.
The individual profiles Data Brokers produce are built over time using thousands of data points culled from numerous, independent sources and are painstakingly cataloged. They contain everything necessary to completely assume a person’s identity. Or to stage highly contextual and effective social engineering attacks used to empty bank accounts, deploy ransomware attacks, target high profile executives for physical attack/assassination, and to steal priceless intellectual property and state secrets.
Considering the privacy implications of maintaining deep repositories of such explicitly sensitive data, there presently exists little to no regulation in the US ensuring these companies are studiously protecting the public interest. There are no rules whatsoever regarding any minimum standard measures of data privacy and information security. In fact, the Data Broker industry is actually more vulnerable than most others precisely because its product – highly distilled, cleansed, normalized and cross-reference-able data profiles on millions of individuals – is extremely valuable.
Data Brokers have become a prime target for threat actors because their product can be resold repeatedly to multiple other threat actors, and also because the data represents a high value “hostage” for ransomware attacks.
CyberNews reported on a 2023 study wherein researchers analyzed 506 registered, US-based data brokers and found that 23 (4.5%) of these companies had suffered data breaches. For context, the Interstate Technology and Regulatory Council in Washington DC reported 3,205 compromising incidents for the US in 2023 including 3,122 breaches of data, 25 data exposures, two data leaks and 56 compromises of an unknown nature.
The graphic below borrowed from the same CyberNews article illustrates the scope of some of the largest Data Broker breaches to date (at time of its publication in 2023).

-Image attribution: CyberNews
Before examining the shameful records of some of the world’s leading Data Broker companies, including the National Public Data Breach – the most current and substantial Data Broker breach (as of August 2024) – read the following refresher on how Data Brokers work.
The Data Brokers’ Business Model – A Refresher
Data brokers make their living by gathering, inferring, or purchasing personal information to sell, license, or otherwise share and monetize. Almost always, they share/sell individuals’ data without their full knowledge or consent with various buyers. The buyers run the gamut from legitimate organizations such as banks, health insurance companies, potential employers, law enforcement agencies such as Immigration and Customs Enforcement (ICE) and the Federal Bureau of Investigation (FBI), etc. Some Data Broker customers are of questionable integrity like predatory lenders and unscrupulous actors like HR poachers. Many customers of the Data Broker are criminal scammers and threat actors from hostile governments, political and religious extremists. Data Brokers are under no obligation to question the motives or investigate the provenance of their customers.
Less frequently discussed but of equal concern are the risks of breaches inherent in amassing and prepackaging large amounts of data. Data brokers, by their very nature, possess information about individuals, and for some, monetizing this data is their core business model. This can involve selling the information outright or enabling third parties to use it for targeted advertising—ranging from showing a Samsung advertisement to someone looking for a new home theater system to, in more extreme and harmful cases, allowing anti-abortion groups to target women in clinic waiting rooms.
Many other companies engage in data brokering as a side business. For instance, many major internet service providers (ISPs) in the United States monetize customer data by selling ad access, sharing it, or through other means.
The industry is remarkably lucrative. Worldmetrics.org statistics reveal the “data broker industry is expected to grow at a CAGR of over 10% from 2021 to 2026. Data broker revenue is projected to reach $262.28 billion by 2025.”
Other eye-popping stats from Worldmetrics:
• Data brokers collect and sell an average of 1,500 data points per person.
• The data broker industry employs over 6,000 people in the United States.
• Over 4,000 data broker companies operate worldwide.
• Around 93% of marketers use data to make strategic decisions.
• Data brokers process over 5,000 terabytes of data every day.
• Data brokers trade information on over 80% of American consumers.
• In the US, 68% of companies have dedicated data analytics teams.
• Data brokers hold information on more than 500 million consumers globally.
• Over 70% of consumers are concerned about how their personal data is being used by data brokers.
• The average revenue per employee in the data broker industry is $76,000.
The (Lack of) Regulatory Burden Facing Data Brokers
There are no requirements or limitations on who can become a Data Broker in the US. Renowned cyber security and data privacy expert, Brian Krebs writes at his popular infosec industry site, KrebsonSecurity, “You see, here in America, virtually anyone can become a consumer data broker. And with few exceptions, there aren’t any special requirements for brokers to show that they actually care about protecting the data they collect, store, repackage and sell so freely.” No one is actively monitoring the trafficking of weapons-grade PII (Personally Identifiable Information). No one is “watching the watchers”.
All these companies are vulnerable to data breaches, and numerous data brokers – including some of the largest in the world – have already exposed individuals’ information due to inadequate security practices.
Recent Data Broker Breaches of Note
The breach of Data Broker defenses is so widespread it could easily fill ten pages of this document. So for illustrative purposes, what follows is a representative sampling of some recent, high-profile examples. Beginning with the most recent instance which has been regarded by the media as the worst such Data Broker breach in history.
July 21, 2024 – NationalPublicData.com
Online cybercrime group Breachforums released more than 4 terabytes of data they claimed was stolen from NationalPublicData.com, a consumer data and background check firm based in Florida.
This claim was confirmed by breach tracking service HaveIBeenPwned.com which determined the leak to be the same information first offered for sale by a well-known cybercriminal known as “USDoD” in April 2024. Indeed, independent research confirmed that on April 7, USDoD posted a for sale on Breachforums.com, four terabytes of data (2.9 billion rows of records) they claimed was taken from NationalPublicData.com. USDoD offered small samples of the data to prove its veracity. These samples included rows of names, addresses, phone numbers, and Social Security Numbers (SSNs). The asking price for the full data set was listed at $3.5 million.
HaveIBeenPwned.com’s Troy Hunt set out to verify the claim that the NationalPublicData.com breach was the largest Data Broker breach in history. His suspicion surrounding this claim was the fact that the “2.9 billion records” number far outstripped the actual number of people living in the US and EU combined. Hunt analyzed the leaked data and found it to be a compiled collection of consumer and business records, including the real names, addresses, phone numbers and SSNs of millions of Americans (both living and deceased).
NationalPublicData.com finally publicly acknowledged the breach in mid-August 2024. In a statement, they said, “there appears to have been a data security incident that may have involved some of your personal information. The incident appears to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.” The statement also revealed the information “suspected of being breached” contained name, email address, phone number, social security number, and mailing address(es).
“We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you,” the statement continues. “We have also implemented additional security measures in efforts to prevent the recurrence of such a breach and to protect our systems.”
Exactly how many unique SSNs were included in the leaked data was not revealed by Hunt’s research. However, Atlas Data Privacy Corp. researchers reported 272 million unique SSNs in the entire records set, finding most records included a name, SSN, and home address, with 26 percent of those records containing a phone number. Atlas said they verified 5,000 addresses and phone numbers, and found the records pertain to people born before Jan. 1, 2002 (with very few exceptions). In fact, Atlas discovered the average age of the consumer in these records was 70. Moreover, at least two million of the stolen records are related to people whose date of birth would make them more than 120 years old today.
February 2023 – PeopleConnect
This Data Broker, owned by the same group behind background search services TruthFinder and Instant Checkmate, acknowledged a breach affecting 20 million customers who paid this Data Broker to run background checks. The data exposed included email addresses, hashed passwords, first and last names, and phone numbers.
October 2019 – People Data Labs
This San Francisco data broker offers people-search services linking hundreds of millions of email addresses, LinkedIn and Facebook profiles and more than 200 million valid cell phone numbers.
Dark web researchers found the trove of unsecured data sitting on a single server. According to Wired magazine, malicious hackers then stole the data on more than 1.5 billion people from People Data Labs.
September 2017 – Equifax
The PII of nearly 150 million people was exposed in this Data Broker breach. In July 2019 Equifax settled with the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and states—agreeing to pay at least $575 million in fines. Indictments were later handed down to four state-sponsored Chinese military hackers for perpetrating the breach. Exfiltrated data ranged from names and addresses to Social Security Numbers, drivers’ license numbers, and more, and plenty (if not all) of that information was gathered by Equifax for the purposes of brokering it.
Too Many Others to List
The list of top-tier Data Brokers suffering data breaches is a veritable who’s who of industry leaders. Names like LexisNexis, Dun & Bradstreet, Oracle, Exactis, and Kroll Background America are only a small sampling of those who have allowed their potent product to be exfiltrated. A position paper written by Justin Sherman for Duke University’s Sanford School of Public Policy contains a great recap of some of the most outrageous Data Broker breaches and the impact of these glaring failures on public policy and governmental response.
The best analogy characterizing the threat of Data Broker breaches comes, once again, from Brian Krebs. Krebs writes,
“These data brokers are the digital equivalent of massive oil tankers wandering the coast without GPS or an anchor, because when they get hacked, the effect is very much akin to the ecological and economic fallout from a giant oil spill.
It’s an apt analogy because the dissemination of so much personal data all at once has ripple effects for months and years to come, as this information invariably feeds into a vast underground ocean of scammers who are already equipped and staffed to commit identity theft and account takeovers at scale.
It’s also apt because much like with real-life oil spills, the cleanup costs and effort from data spills — even just vast collections of technically “public” documents like the NPD corpus — can be enormous, and most of the costs associated with that fall to consumers, directly or indirectly.”
While governmental response to emerging tech and concomitant threats is always slow in coming, it is finally becoming clear that there must be some intervention on behalf of the people.
Is Regulation on the Way?
As is often the case, the United States intelligence services and military issued a distant early warning of threats gathering on the horizon. That’s why in December of 2022, the US Naval Institute issued a statement explicitly calling Data Brokers a national security risk. Their assessment, through the prism of national security, carried a good deal of weight in the eyes of US lawmakers who could take steps to address the challenge.
The USNI published a 2022 document written by Capt. Steven J. Arango of the United States Marine Corps titled, “Data Brokers are Threat to National Security” in which he wrote, “China, Russia, and Iran can go directly to data brokers to purchase information about service members and veterans or, if that fails, they can just steal it. Almost every top broker has been hacked at some point: Acxiom was hacked in 2003, Epsilon in 2011, and Experian in 2015, to name just a few.”
It was suspected that Chinese state-sponsored assets were behind the hack of Equifax, yielding sensitive information on nearly half of all Americans. USNI concluded, “Regardless of their method, adversaries want this information and will acquire it.” Data Broker breach is a superb way for a determined adversary to capture all the pertinent and highly specific information it could ever want in one fell swoop.
Consumer advocacy groups are also awakening to the present danger of Data Broker breaches. An article published in the wake of the NationalPublicData breach by the National Consumer Law Center (NCLC) highlights the September 2023 proposal issued by the US Government’s Consumer Financial Protection Board. The CFPB’s proposal involved regulating Data Brokers, treating them as “consumer reporting agencies” under the Fair Credit Reporting Act (FCRA). By regulating Data Brokers under the FCRA Broker organizations would be held to the strictures of the Safeguards Rule issued by the Federal Trade Commission (FTC). It would further compel Data Brokers like National Public Data and others to establish and maintain a formal information security program. Best of all, FCRA coverage would demand Data Brokers ensure anyone seeking to obtain records from the company has a “permissible purpose” under the FCRA, such as an application for credit or employment by the consumer, and follow procedures to ensure accuracy of its information.
“The massive data breach at National Public Data demonstrates why the CFPB must proceed quickly with regulating data brokers under the FCRA,” said Chi Chi Wu, senior attorney at the National Consumer Law Center. “Data brokers hold massive amounts of personal information for millions of Americans, which can be weaponized against us when stolen
The Federal Trade Commission (FTC) has also recently made some aggressive motions toward reining in the unregulated space occupied by Data Brokers in the wake of the most egregious recent Data Broker breaches. In a January 2024 press release titled, “FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data”, the Commission announced it was intervening to prohibit Data Broker X-Mode Social and its successor Outlogic from sharing or selling any sensitive location data. The FTC alleged the Data Broker company had been selling precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters. The press release characterized this unprecedented step saying the “action underscores the FTC’s strong commitment to restraining the collection, sale, or disclosure of consumer’ sensitive location data.”
Tate-Ryan Mosley offers analysis of this promising first step toward emerging regulation of this risk-laden industry in a January 2024 piece published at the MIT Technology Review. Mosley writes of the recent FTC action, “It’s a major move that could signal some more aggressive action from policy makers to curb the corrosive effects that data brokers have on personal privacy. This is but one small step toward the establishment of an effective regulatory framework to address this vexing challenge. But it is only an embryonic step. The problem is vast and as the Electronic Privacy Information Center (EPIC) notes, the absence of any complete standard U.S. privacy law permits the data broker industry to continue to build profiles on millions of Americans at great cost to our privacy, civil rights, national security, and democracy. EPIC issues the clarion call, “Congress must pass comprehensive privacy legislation and create a U.S. Data Protection Agency to regulate the out-of-control data broker industry.
External Data Privacy Management Is Essential to Protection
The currently proposed regulations are a great first step forward. Yet, they won’t suffice even if they are somehow adopted and implemented. Privacy Bee for Business urges readers, not to wait for government regulatory action. It could take years to achieve at scale during which time your organizational and personal data remains at high risk for being stolen in Data Broker breaches.
So, what can be done in the interim to effectively protect one’s self and one’s organization from becoming a victim while the governmental and regulatory agencies slowly grind toward some kind of action? The answer lies in aggressive application of policies and practices to secure presently unsecured external data.
Renowned Australian web security consultant Troy Hunt is a respected expert focused on public education and outreach on security topics. Hunt is the brainchild behind HaveIBeenPwned.com, a data breach search website that allows users to see if their personal information has been compromised. Hunt absolutely nails it when he talks about the only effective means for ensuring your data is not compromised in the next, inevitable Data Broker breach. Hunt says, “The database [of any Data Broker] DOES NOT contain information from individuals who use data opt-out services. Every person who used some sort of data opt-out service was not present.”
Removing one’s personal data – specifically the unsecured data – from all corners of the internet is a daunting task. And one that requires more than a one-time effort. It must be a discipline that individuals and organizations regard as a regular, preventative maintenance effort like changing the oil in one’s car on a regular interval. It is a topic Privacy Bee for Business has written about in detail in the white paper, “How to Stop Data Brokers – Continuity is Critical”.
The reality is scanning the web for one’s exposed, unsecured data and then managing deletions of said exposures must be an ongoing discipline and practice. No service or solution can scan and identify every scrap of unsecured external data and then achieve all the deletions once and for all. To successfully protect privacy and mitigate the significant risks of unsecured external data, organizations must sustain an effort indefinitely. Over time, by continuing to scan for, isolate and remove the unsecured data from wherever it is found, the availability of one’s personal data begins to tighten. Failure to address privacy management as a discipline in today’s threat environment is akin to professional malpractice. Privacy management is a fact of life in business today and must be addressed as such.
How to Avoid Data Broker Breach with Privacy Bee Solutions
100% Free Privacy Threat Monitoring and External Privacy Data Audits are the best place to begin to identify where unsecured data for all your employees may exist all over the internet.
For the Business customer, Privacy Bee’s External Privacy Data Audit provides in-depth reporting on external exposures and their cost on a company’s productivity. Turning those stats into figures, the financial risk assessment provides a conservative estimate of the estimated cost these external exposures have. The platform provides full employee privacy audits, covering how many employees have been exposed, what type of exposures they’ve had, and the source of the exposure. The tool sets detect recent critical vulnerabilities and target where to start cleaning up employee data.
The Privacy Risk Assessment (PRA), also 100% free, is roughly 75 questions and takes about an hour to complete. It explores how customer and employee data is managed by your organization, illuminating any unmitigated risk and opportunities for improvement. Once completed, the answers help derive your organization’s Privacy Risk Score.
Once these audits and assessments have identified where the unsecured data lives, it is time to embark on an ongoing campaign to remove it.
Data Broker Removal services from Privacy Bee mobilize an army of “worker bees” to continuously issue, manage and reissue DSARs to all identified unsecured data. Privacy Bee manages the requests, correspondence and ongoing steps needed to erase customer data from the more than 350 data broker and People Search Sites in the US. This labor-intensive process is handled by the Privacy Bee solution, so users are not burdened with the administrative burden. Privacy Bee boasts the industry’s highest removal success rating.
Marketing List Removal service is critical to businesses seeking to minimize unwanted distractions to their workforce derived from spam and targeted marketing. This is also useful in mitigating HR poaching.
Privacy Preference Management on the Privacy Bee platform provides the ability for each user to create their own “whitelist” or “privacy bubble” by cataloging the list of all sites a user visits or has visited. Then enabling the user to allow trusted sites to collect their data while barring distrusted sites from doing so. For the Business customer, this type of selectivity allows all company business machines to configure trusted sites and enforce prohibitions against any user visiting web equities deemed to be a privacy risk for the client company. The Business solution provides graphical visualizer dashboards with risk assessment scoring for every website, so that management can gauge the risk/reward profile of all sites the workforce may visit and interact with.
Vendor Risk Management is crucial to protecting the internal workforce as well because all best efforts can be defeated if the organization’s business partners are not exercising the same diligence in protecting privacy. If a vendor or other business partner has any access to information systems, then it is imperative that they be covered under the same privacy umbrella. Privacy Bee is fully extensible to provide such coverage to any organization’s external partners and business connections.
Don’t wait for the slow moving wheels of government regulators to find protection against being swept up in the next Data Broker breach. Reach out today to learn how to license Privacy Bee to protect your organization from the threats associated with unsecured external data.
